Monday, April 17, 2017

YARA is a multi-platform tool that runs on Windows, Linux and Mac OS X.
It is designed to help malware researchers identify and classify malware samples.
It has been described as a tool for security researchers and everyone else.
YARA provides an easy and effective way to write custom rules based on
strings or byte sequences, allowing you to build your own detection tools.
You can create descriptions of malware families based on textual or binary patterns, or of anything else you want to describe.
Each description, or rule, consists of a set of strings and a boolean expression that determines its logic.
The official website can be found here.
The
First you need to install the yara tool on your Linux OS.
I used the Fedora 25 distro.

Two important keywords in a rule are strings and condition.
The strings section lists the unique values to search for, while the condition specifies your detection criteria.
Some examples of conditions:

all of them /* all strings in the rule */
any of them /* any string in the rule */
all of ($a*) /* all strings whose identifier starts by $a */
any of ($a,$b,$c) /* any of $a, $b or $c */
1 of ($*) /* same as "any of them" */
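Putting the two sections together, here is a constructed rule (an added example, not from the original post) that combines textual, hex and regex strings with the set quantifiers listed above; the family name, string values and byte patterns are invented for illustration.

```yara
/*
  Added example, not from the original post: a constructed rule showing how
  the strings section and the condition section work together.
  All names, string values and byte sequences below are made up.
*/
rule Example_Family_Detector
{
    meta:
        description = "Constructed example: textual, hex and regex strings with set quantifiers"
        author      = "added example"

    strings:
        // Textual strings (identifier prefix $a). 'ascii wide' matches both
        // ASCII and UTF-16LE encodings; 'nocase' makes $a2 case-insensitive.
        $a1 = "ExampleFamily_v1_mutex" ascii wide
        $a2 = "update_check.log" nocase

        // Byte sequences (hex strings, prefix $b). '??' is a one-byte
        // wildcard, so $b2 matches a CALL with any 4-byte relative offset
        // followed by a specific stack adjustment.
        $b1 = { DE AD BE EF 00 01 02 03 }
        $b2 = { E8 ?? ?? ?? ?? 83 C4 04 }

        // Regular expression (prefix $c) for a constructed beacon URL path.
        $c1 = /\/gate\.php\?id=[0-9a-f]{8}/

    condition:
        // Cheap structural checks first: PE magic at offset 0 and a size
        // bound, so the expensive string scan only runs on plausible files.
        uint16(0) == 0x5A4D and filesize < 2MB and
        (
            all of ($a*)            // both textual strings present
            or
            (1 of ($b*) and $c1)    // one byte pattern plus the URL regex
        )
}
```

Save it as example.yar and run `yara -s example.yar <file>` to print the matching strings and their offsets, or `yara -r example.yar <directory>` to scan recursively.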